First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.
Here are Further Reading, Other Developments, and Coming Events.
- New Zealand’s Privacy Commissioner has begun the process of implementing the new Privacy Act 2020 and has started asking for input on the codes of practice that will effectuate the rewrite of the nation’s privacy laws. The Commissioner laid out the following schedule:
- Health Information Privacy Code and Justice Sector Unique Identifier Code
- Open: 15 July 2020 /Close: 12 August 2020
- Credit Reporting Privacy Code and Superannuation Schemes Unique Identifier Code
- Open: 22 July 2020 / Close: 19 August 2020
- Telecommunications Information Privacy Code and Civil Defence National Emergencies (Information Sharing) Code
- Open: 29 July 2020 / Close: 26 August 2020
- The Commissioner noted “[t]he new Privacy Act 2020 is set to come into force on 1 December…[and] makes several key reforms to New Zealand’s privacy law, including amendments to the information privacy principles.” The Commissioner added “[a]s a result, the six codes of practice made under the Privacy Act 1993 require replacement.”
- Health Information Privacy Code and Justice Sector Unique Identifier Code
- Australia’s 2020 Cyber Security Strategy Industry Advisory Panel issued its report and recommendations “to provide strategic advice to support the development of Australia’s 2020 Cyber Security Strategy.” The body was convened by the Minister for Home Affairs. The panel “recommendations are structured around a framework of five key pillars:
- Deterrence: The Government should establish clear consequences for those targeting businesses and Australians. A key priority is increasing transparency on Government investigative activity, more frequent attribution and consequences applied where appropriate, and strengthening the Australian Cyber Security Centre’s (ACSC’s) ability to disrupt cyber criminals by targeting the proceeds of cybercrime.
- Prevention: Prevention is vital and should include initiatives to help businesses and Australians remain safer online. Industry should increase its cyber security capabilities and be increasingly responsible for ensuring their digital products and services are cyber safe and secure, protecting their customers from foreseeable cyber security harm. While Australians have access to trusted goods and services, they also need to be supported with advice on how to practice safe behaviours at home and work. A clear definition is required for what constitutes critical infrastructure and systems of national significance across the public and private sectors. This should be developed with consistent, principles-based regulatory requirements to implement reasonable protection against cyber threats for both the public and private sectors.
- Detection: There is clear need for the development of a mechanism between industry and Government for real-time sharing of threat information, beginning with critical infrastructure operators. The Government should also empower industry to automatically detect and block a greater proportion of known cyber security threats in real-time including initiatives such as ‘cleaner pipes’.
- Resilience: We know malicious cyber activity is hitting Australians hard. The tactics and techniques used by malicious cyber actors are evolving so quickly that individuals, businesses and critical infrastructure operators in Australia are not fully able to protect themselves and their assets against every cyber security threat. As a result, it is recommended that the Government should strengthen the incident response and victim support options already in place. This should include conducting cyber security exercises in partnership with the private sector. Speed is key when it comes to recovering from cyber incidents, it is therefore proposed that critical infrastructure operators should collaborate more closely to increase preparedness for major cyber incidents.
- Investment: The Joint Cyber Security Centre (JCSC) program is a highly valuable asset to form a key delivery mechanism for the initiatives under the 2020 Cyber Security Strategy should be strengthened. This should include increased resources and the establishment of a national board in partnership with industry, states and territories with an integrated governance structure underpinned by a charter outlining scope and deliverables.
- Six of the world’s data protection authorities issued an open letter to the teleconferencing companies “to set out our concerns, and to clarify our expectations and the steps you should be taking as Video Teleconferencing (VTC) companies to mitigate the identified risks and ultimately ensure that our citizens’ personal information is safeguarded in line with public expectations and protected from any harm.” The DPAs stated that “[t]he principles in this open letter set out some of the key areas to focus on to ensure that your VTC offering is not only compliant with data protection and privacy law around the world, but also helps build the trust and confidence of your userbase.” They added that “[w]e welcome responses to this open letter from VTC companies, by 30 September 2020, to demonstrate how they are taking these principles into account in the design and delivery of their services. Responses will be shared amongst the joint signatories to this letter.” The letter was drafted and signed by:
- The Privacy Commissioner of Canada
- The United Kingdom Information Commissioner’s Office
- The Office of the Australian Information Commissioner
- The Gibraltar Regulatory Authority
- The Office of the Privacy Commissioner for Personal Data, Hong Kong, China
- The Federal Data Protection and Information Commissioner of Switzerland
- The United States Office of the Comptroller of the Currency (OCC) “is reviewing its regulations on bank digital activities to ensure that its regulations continue to evolve with developments in the industry” and released an “advance notice of proposed rulemaking (ANPR) [that] solicits public input as part of this review” by 8 August 2020. The OCC explained:
- Over the past two decades, technological advances have transformed the financial industry, including the channels through which products and services are delivered and the nature of the products and services themselves. Fewer than fifteen years ago, smart phones with slide-out keyboards and limited touchscreen capability were newsworthy. Today, 49 percent of Americans bank on their phones, and 85 percent of American millennials use mobile banking.
- The first person-to-person (P2P) platform for money transfer services was established in 1998. Today, there are countless P2P payment options, and many Americans regularly use P2P to transfer funds. In 2003, Congress authorized digital copies of checks to be made and electronically processed. Today, remote deposit capture is the norm for many consumers. The first cryptocurrency was created in 2009; there are now over 1,000 rival cryptocurrencies, and approximately eight percent of Americans own cryptocurrency. Today, artificial intelligence (AI) and machine learning, biometrics, cloud computing, big data and data analytics, and distributed ledger and blockchain technology are used commonly or are emerging in the banking sector. Even the language used to describe these innovations is evolving, with the term “digital” now commonly used to encompass electronic, mobile, and other online activities.
- These technological developments have led to a wide range of new banking products and services delivered through innovative and more efficient channels in response to evolving customer preferences. Back-office banking operations have experienced significant changes as well. AI and machine learning play an increasing role, for example, in fraud identification, transaction monitoring, and loan underwriting and monitoring. And technology is fueling advances in payments. In addition, technological innovations are helping banks comply with the complex regulatory framework and enhance cybersecurity to more effectively protect bank and customer data and privacy. More and more banks, of all sizes and types, are entering into relationships with technology companies that enable banks and the technology companies to establish new delivery channels and business practices and develop new products to meet the needs of consumers, businesses, and communities. These relationships facilitate banks’ ability to reach new customers, better serve existing customers, and take advantage of cost efficiencies, which help them to remain competitive in a changing industry.
- Along with the opportunities presented by these technological changes, there are new challenges and risks. Banks should adjust their business models and practices to a new financial marketplace and changing customer demands. Banks are in an environment where they compete with non-bank entities that offer products and services that historically have only been offered by banks, while ensuring that their activities are consistent with the authority provided by a banking charter and safe and sound banking practices. Banks also must comply with applicable laws and regulations, including those focused on consumer protection and Bank Secrecy Act/anti-money laundering (BSA/AML) compliance. And, importantly, advanced persistent threats require banks to pay constant and close attention to increasing cybersecurity risks.
- Notwithstanding these challenges, the Federal banking system is well acquainted with and well positioned for change, which has been a hallmark of this system since its inception. The OCC’s support of responsible innovation throughout its history has helped facilitate the successful evolution of the industry. The OCC has long understood that the banking business is not frozen in time and agrees with the statement made over forty years ago by the U.S. Court of Appeals for the Ninth Circuit: “the powers of national banks must be construed so as to permit the use of new ways of conducting the very old business of banking.”  Accordingly, the OCC has sought to regulate banking in ways that allow for the responsible creation or adoption of technological advances and to establish a regulatory and supervisory framework that allows banking to evolve, while ensuring that safety and soundness and the fair treatment of customers is preserved.
- A trio of House of Representatives Members have introduced “legislation to put American consumers in the driver’s seat by giving them clearer knowledge about the technology they are purchasing.” The “Informing Consumers about Smart Devices Act” (H.R.7583) was drafted and released by Representatives John Curtis (R-UT), Seth Moulton (D-MA), and Gus Bilirakis (R-FL) and according to their press release, it would:
- The legislation is in response to reports about household devices listening to individuals’ conversations without their knowledge. While some manufacturers have taken steps to more clearly label their products with listening devices, this legislation would make this information more obvious to consumers without overly burdensome requirements on producers of these devices.
- Specifically, the bill requires the Federal Trade Commission (FTC) to work alongside industry leaders to establish guidelines for properly disclosing the potential for their products to contain audio or visual recording capabilities. To ensure this does not become an overly burdensome labeling requirement, the legislation provides manufacturers the option of requesting customized guidance from the FTC that fits within their existing marketing or branding practices in addition to permitting these disclosures pre or post-sale of their products.
- House Oversight and Reform Committee Ranking Member James Comer (R-KY) sent Twitter CEO Jack Dorsey a letter regarding last week’s hack, asking for answers to his questions about the security practices of the platform. Government Operations Subcommittee Ranking Member Jody Hice (R-GA) and 18 other Republicans also wrote Dorsey demanding an explanation of “Twitter’s intent and use of tools labeled ‘SEARCH BLACKLIST’ and ‘TRENDS BLACKLIST’ shown in the leaked screenshots.”
- The United States Court of Appeals for the District of Columbia has ruled against United States Agency for Global Media (USAGM) head Michael Pack and enjoined his efforts to fire the board of the Open Technology Fund (OTF). The court stated “it appears likely that the district court correctly concluded that 22 U.S.C. § 6209(d) does not grant the Chief Executive Officer of the United States Agency for Global Media, Michael Pack, with the authority to remove and replace members of OTF’s board.” Four removed members of the OTF Board had filed suit against pack. Yesterday, District of Columbia Attorney General Karl Racine (D) filed suit against USAGM, arguing that Pack violated District of Columbia law by dissolving the OTF Board and creating a new one.
- Three advocacy organizations have lodged their opposition to the “California Privacy Rights Act” (aka Proposition 24) that will be on the ballot this fall in California. The American Civil Liberties Union, the California Alliance for Retired Americans, and Color of Change are speaking out against the bill because “it stacks the deck in favor of big tech corporations and reduces your privacy rights.” Industry groups have also started advertising and advocating against the statute that would rewrite the “California Consumer Privacy Act” (CCPA) (AB 375).
- “Facebook adds info label to Trump post about elections” – The Hill. Facebook has followed Twitter in appending information to posts of President Donald Trump that implicitly rebut his false claims about fraud and mail-in voting. Interestingly, they also appended information to posts of former Vice President Joe Biden that merely asked people to vote Trump out in November. If Facebook continues this policy, it is likely to stoke the ire of Republicans, many of whom claim that the platform and others are biased against conservative voices and viewpoints.
- “Ajit Pai urges states to cap prison phone rates after he helped kill FCC caps” – Ars Technica. The chair of the Federal Communications Commission (FC) is imploring states to regulate the egregious rates charged on payphones to the incarcerated in prison. The rub here is that Pai fought against Obama-era FCC efforts to regulate these practices, claiming the agency lacked the jurisdiction to police intrastate calls. Pai pulled the plug on the agency’s efforts to fight for these powers in court when he became chair.
- “Twitter bans 7,000 QAnon accounts, limits 150,000 others as part of broad crackdown” – NBC News. Today, Twitter announced it was suspending thousands of account of conspiracy theorists who believe a great number of untrue things, namely the “deep state” of the United States is working to thwart the presidency of Donald Trump. Twitter announced in a tweet: “[w]e will permanently suspend accounts Tweeting about these topics that we know are engaged in violations of our multi-account policy, coordinating abuse around individual victims, or are attempting to evade a previous suspension — something we’ve seen more of in recent weeks.” This practice, alternately called brigading or swarming, has been employed on a number of celebrities who are alleged to be engaging in pedophilia. The group, QAnon, has even been quoted or supported by Members of the Republican Party, some of whom may see Twitter’s actions as ideological.
- “Russia and China’s vaccine hacks don’t violate rules of road for cyberspace, experts say” – The Washington Post. Contrary to the claims of the British, Canadian, and American governments, attempts by other nations to hack into COVID-19 research is not counter to cyber norms these and other nations have been pushing to make the rules of the road. The experts interviewed for the article are far more concerned about the long term effects of President Donald Trump allowing the Central Intelligence Agency to start launching cyber attacks when and how it wishes.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.